<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0,viewport-fit=cover"><title>学海无涯苦作舟</title><meta name="author" content="小乾"><meta name="copyright" content="小乾"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta property="og:type" content="website">
<meta property="og:title" content="学海无涯苦作舟">
<meta property="og:url" content="https://xiaoqian2000.gitee.io/blogs/page/2/index.html">
<meta property="og:site_name" content="学海无涯苦作舟">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://xiaoqian2000.gitee.io/blogs/img/headpicture.png">
<meta property="article:author" content="小乾">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://xiaoqian2000.gitee.io/blogs/img/headpicture.png"><link rel="shortcut icon" href="/blogs/img/headpicture.png"><link rel="canonical" href="https://xiaoqian2000.gitee.io/blogs/page/2/index.html"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/blogs/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox/fancybox.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
  root: '/blogs/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  dateSuffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isAnchor: false,
  percent: {
    toc: true,
    rightside: false,
  },
  autoDarkmode: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: '学海无涯苦作舟',
  isPost: false,
  isHome: true,
  isHighlightShrink: false,
  isToc: false,
  postUpdate: '2023-09-19 18:27:22'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
    win.getCSS = (url,id = false) => new Promise((resolve, reject) => {
      const link = document.createElement('link')
      link.rel = 'stylesheet'
      link.href = url
      if (id) link.id = id
      link.onerror = reject
      link.onload = link.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        link.onload = link.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(link)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    
    const detectApple = () => {
      if(/iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)){
        document.documentElement.classList.add('apple')
      }
    }
    detectApple()
    })(window)</script><meta name="generator" content="Hexo 6.3.0"></head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/blogs/img/headpicture.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/blogs/archives/"><div class="headline">文章</div><div class="length-num">27</div></a><a href="/blogs/tags/"><div class="headline">标签</div><div class="length-num">0</div></a><a href="/blogs/categories/"><div class="headline">分类</div><div class="length-num">3</div></a></div><hr class="custom-hr"/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/blogs/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/blogs/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div></div></div><div class="page" id="body-wrap"><header class="full_page" id="page-header" style="background-image: url('/blogs/img/wallhaven-9moko8_2560x1600.png')"><nav id="nav"><span id="blog-info"><a href="/blogs/" title="学海无涯苦作舟"><span class="site-name">学海无涯苦作舟</span></a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/blogs/tags/"><i class="fa-fw fas fa-tags"></i><span> Tags</span></a></div><div class="menus_item"><a class="site-page" href="/blogs/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div></div><div id="toggle-menu"><a class="site-page" href="javascript:void(0);"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">学海无涯苦作舟</h1></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2011-3/" title="恶意代码实战分析11.3">恶意代码实战分析11.3</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 11-3分析恶意代码Lab11-03.exe和Lab11-03.dll。确保这两个文件在分析时位于同一个目录中。问题1．使用基础的静态分析过程，你可以发现什么有趣的线索?Lab11-03.exe:1.发现了”cmd.exe”字符串,说明可能是调用了控制台程序.
2.发现了”C:\WINDOWS\System32\inet_epar32.dll”一个文件路径.
3.发现”cisvc.exe”未知进程名.
4.导入了”MapViewOfFile”函数和”UnmapViewOfFile”函数可能存在文件手动映射.
5.发现字符串”Lab11-03.dll”实验dll文件.
6.发现一个类似账号密码一样的字符串”zzz69806582”.
Lab11-03.dll:1.发现”GetForegroundWindow”和”GetAsyncKeyState”这两个函数经常搭配获取用户正在输入的按键.
2.导出了一个奇怪的函数名”zzz69806582”刚好与exe里的字符串匹配,应该是exe调用这个导出函数.
3.还有一个dll路径但是这个dll不是系统的dll是外部生成的”C:\WINDO ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2012-1/" title="恶意代码实战分析12.1">恶意代码实战分析12.1</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 12-1分析在Lab12-01.exe和Lab12-01.dll文件中找到的恶意代码,并确保在分析时这些文件在同一目录中。问题1．在你运行恶意代码可执行文件时，会发生什么?1.每2分45秒会跳一个提示框,提示框上面写着”Practical Malware Analysis %d”,%d是线程的次数,提示框标题叫”Press OK to reboot”.
2.哪个进程会被注入?1.explorer.exe进程
3．你如何能够让恶意代码停止弹出窗口?除了重启电脑或者结束被注入的进程不然没有办法.
4.这个恶意代码样本是如何工作的?1.通过LoadLibraryA加载psapi.dll到进程中然后调用GetProcAddress获取EnumProcessModules和GetModuleBaseNameA和EnumProcesses.
2.通过GetCurrentDirectoryA获取当前路径然后通过字符串拼接”\Lab12-01.dll”,获取dll路径.
3.调用EnumProcesses获取电脑上所以运行的进程,再循环通过OpenProcess获取进程操作句柄,在调用Enum ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2012-2/" title="恶意代码实战分析12.2">恶意代码实战分析12.2</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 12-2分析在Lab12-02.exe文件中找到的恶意代码。问题1.这个程序的目的是什么?1.这个程序主要是加载键盘记录器到全局按键消息里.
2．启动器恶意代码是如何隐蔽执行的?1.将恶意代码加密后放到了资源资源段里.
2.通过进程替换把恶意代码放到了”C:\window\system32\svchost.exe”进程里.
3.恶意代码的负载存储在哪里?1.在资源表,存储在类型为UNICODE下名为LOCALIZATION中.
4．恶意负载是如何被保护的?1.通过ROR加密进行保护的.
5．字符串列表是如何被保护的?1.通过ROR异或0x41导致字符串全部被混淆了.
2.是通过0x00401000函数进行解密的.
</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2012-4/" title="恶意代码实战分析12.4">恶意代码实战分析12.4</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 12-4分析在Lab12-04.exe文件中找到的恶意代码。问题1.位置0x401000的代码完成了什么功能?1.通过pid判断是否是我们查找的进程,本文中是”winlogon.exe“.
2.代码注入了哪个进程?1.”winlogon.exe“进程.
3.使用LoadLibraryA装载了哪个DLL程序?1.一共装在了2个dll,一个是”psapi.dll”,另一个是”sfc_os.dll”.
4．传递给CreateRemoteThread调用的第4个参数是什么?1.第四个参数是sfc_os.dll文件中导出序号为2的函数地址,我上网了解到是一个名为SfcTerminateWatcherThread,描述:用于禁用 Windows 文件保护 （WFP） 并修改本来会受到保护的文件。SfcFileException 也可以用于此容量。
5．二进制主程序释放出了哪个恶意代码?1.恶意代码在文件的资源段里,类型为BIN下的0x65序号资源,进行了文件C:\window\system32\wupdmgr.exe覆盖.
6.释放出恶意代码的目的是什么?1.主要目的是为了更新病毒文件的, ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2012-3/" title="恶意代码实战分析12.3">恶意代码实战分析12.3</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 12-3分析在Lab 12-2实验过程中抽取出的恶意代码样本，或者使用Lab12-03.exe文件。问题1.这个恶意负载的目的是什么?1.加载一个全局键盘记录器到系统中,并记录按键保存在当前目录”practicalmalwareanalysis.log”文件中.
2.恶意负载是如何注入自身的?通过SetWindowsHookExA函数加载自身函数.
3.这个程序还创建了哪些其他文件?1.创建了””practicalmalwareanalysis.log””文件在当前目录,用于保存按键记录.
</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%205-1/" title="恶意代码实战分析5.1">恶意代码实战分析5.1</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 5-1只用IDA Pro分析在文件Lab05-01.dll中发现的恶意代码。这个实验的目标是给你一个用IDA Pro动手的经验。如果你已经用IDA Pro工作过，你可以选择忽略这些问题，而将精力集中在逆向工程恶意代码上。问题1.DllMain的地址是什么?在0x1000D02E.
2．使用Imports 窗口并浏览到gethostbyname，导入函数定位到什么地址?在0x100163CC.
3．有多少函数调用了gethostbyname ?
5个不同函数调用了9次(同一个地址以不同形式重复显示了).
4．将精力集中在位于0x10001757处的对gethostbyname的调用，你能找出哪个DNS 请求将被触发吗?触发此域名’pics.praticalmalwareanalysis.com’.
5.IDA Pro识别了在0x10001656处的子过程中的多少个局部变量?
方框是IDA识别出的局部变量(23个).但实际是一共678个字节.
6. IDA Pro识别了在0x10001656处的子过程中的多少个参数?一个参数,看上图箭头标识.
7．使用Strings窗口，来在反汇编 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%206-1/" title="恶意代码实战分析6.1">恶意代码实战分析6.1</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 6-1在这个实验中，你将分析在文件Lab06-01.exe中发现的恶意代码。问题1．由main函数调用的唯一子过程中发现的主要代码结构是什么?
2.位于0x40105F的子过程是什么?打印字符串.(使用的是老版printf函数). 
3．这个程序的目的是什么?获取网络连接状态通过InternetGetConnectedState函数获取返回状态,通过返回状态打印相对的字符串(告知连接状态),成功打印”Success: Internet Connection\n”,失败打印”Error 1.1: No Internet\n”.
</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%206-4/" title="恶意代码实战分析6.4">恶意代码实战分析6.4</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 6-4在这个实验中，我们会分析在文件Lab06-04.exe中发现的恶意代码问题1.在实验6-3和6-4的main函数中的调用之间的区别是什么?增加了一个循环,循环的上限是1440次.
2.什么新的代码结构已经被添加到main中?for循环语句加入了main函数中.
3.这个实验的解析HTML的函数和前面实验中的那些有什么区别?1.在函数开头的地方根据循环的次数设置了UA字段并打印.
4.这个程序会运行多久?（假设它已经连接到互联网。)1.如果页面数据少于1,440字节有多字节运行多少分钟,最大不会超过1440分钟.
5．在这个恶意代码中有什么新的基于网络的迹象吗?每次UA都会”Internet Explorer 7.50&#x2F;pma%d”随着次数+1.
6.这个恶意代码的目的是什么?根据指定页面的代码内容,根据页面代码内容循环的执行一系列功能代码.因为页面现在访问不了了.
</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%206-2/" title="恶意代码实战分析6.2">恶意代码实战分析6.2</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 6-2分析在文件Lab06-02.exe中发现的恶意代码。问题1.main函数调用的第一个子过程执行了什么操作?1.是个if语句.通过InternetGetConnectedState函数检查 网络连接状态.函数返回0打印”Error 1.1: No Internet\n”,返回1打印”Success: Internet Connection\n”.
2.位于0x40117F的子过程是什么?打印函数printf.
3．被main函数调用的第二个子过程做了什么?
1.调用InternetOpenA函数初始化应用程序对 WinINet 函数的使用。
2.调用InternetOpenUrlA打开URL’http://www.practicalmalwareanalysis.com/cc.htm‘.
3.如果失败了调用InternetCloseHandle清理网络初始化环境,返回结果为0退出函数.
4.如果成功调用InternetReadFile读取用InternetOpenUrlA打开连接里面的数据.
5.InternetReadFile函数返回失败,调用InternetCloseH ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%207-2/" title="恶意代码实战分析7.2">恶意代码实战分析7.2</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/">恶意代码实战分析</a></span></div><div class="content">Lab 7-2分析在文件Lab07-02.exe中发现的恶意代码。问题1.这个程序如何完成持久化驻留?1.这个程序没有永久驻留,运行完一次就结束了.
2.这个程序的目的是什么?图1:
图2:
图3:
图4:
图5:
查找对应的对象的方法_不一定对,参数对照图1:通过参数1得到注册表HKEY_CLASSES_ROOT\CLSID键中的子键看图2,参数3是指定你获取表项中的子键看图2,本文中填写的是LocalServer32,参数4指定了类名,类名在HKEY_CLASSES_ROOT\Interface键中查看图3,本文是{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}所以类名是IWebBrowser2,可以看见里面还有个ProxyStubClsid32子键这个里面存着这个类所属的CLSID,还有一个TypeLib子键这个表示这个类对象是从哪个库里获取的,详情看图4,本文是{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B},根据TypeLib里面GUID,去HKEY_CLASSES_ROOT\TypeLib中查找可以看图5,根据Type ...</div></div></div><nav id="pagination"><div class="pagination"><a class="extend prev" rel="prev" href="/blogs/"><i class="fas fa-chevron-left fa-fw"></i></a><a class="page-number" href="/blogs/">1</a><span class="page-number current">2</span><a class="page-number" href="/blogs/page/3/#content-inner">3</a><a class="extend next" rel="next" href="/blogs/page/3/#content-inner"><i class="fas fa-chevron-right fa-fw"></i></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="/blogs/img/headpicture.png" onerror="this.onerror=null;this.src='/blogs/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">小乾</div><div class="author-info__description"></div></div><div class="card-info-data site-data is-center"><a href="/blogs/archives/"><div class="headline">文章</div><div class="length-num">27</div></a><a href="/blogs/tags/"><div class="headline">标签</div><div class="length-num">0</div></a><a href="/blogs/categories/"><div class="headline">分类</div><div class="length-num">3</div></a></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://gitee.com/xiaoqian2000"><i class="fab fa-github"></i><span>Follow Me</span></a></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>公告</span></div><div class="announcement_content">欢迎学习和讨论</div></div><div class="sticky_layout"><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/20/Window10%20SwapContext%E5%88%86%E6%9E%90/" title="Win10 X64 1904 线程交换SwapContext分析">Win10 X64 1904 线程交换SwapContext分析</a><time datetime="2023-08-20T13:21:52.000Z" title="发表于 2023-08-20 21:21:52">2023-08-20</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/20/win10%20%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8/" title="Win10 X64 1904 系统调用">Win10 X64 1904 系统调用</a><time datetime="2023-08-20T13:21:52.000Z" title="发表于 2023-08-20 21:21:52">2023-08-20</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/20/C++%E7%B1%BB%E7%9A%84%E5%86%85%E5%AD%98%E5%88%86%E5%B8%83/" title="C++类的内存分布">C++类的内存分布</a><time datetime="2023-08-20T11:51:52.000Z" title="发表于 2023-08-20 19:51:52">2023-08-20</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/15/decltpye%E8%AE%B2%E8%A7%A3/" title="decltpye:讲解">decltpye:讲解</a><time datetime="2023-08-14T16:03:52.000Z" title="发表于 2023-08-15 00:03:52">2023-08-15</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/blogs/2023/08/01/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90Lab%2010-1/" title="恶意代码实战分析10.1">恶意代码实战分析10.1</a><time datetime="2023-08-01T15:26:52.000Z" title="发表于 2023-08-01 23:26:52">2023-08-01</time></div></div></div></div><div class="card-widget card-categories"><div class="item-headline">
            <i class="fas fa-folder-open"></i>
            <span>分类</span>
            
            </div>
            <ul class="card-category-list" id="aside-cat-list">
            <li class="card-category-list-item "><a class="card-category-list-link" href="/blogs/categories/Effective-Modern-C/"><span class="card-category-list-name">Effective Modern C++</span><span class="card-category-list-count">2</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blogs/categories/windows%E5%86%85%E6%A0%B8%E7%9F%A5%E8%AF%86/"><span class="card-category-list-name">windows内核知识</span><span class="card-category-list-count">2</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/blogs/categories/%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%AE%9E%E6%88%98%E5%88%86%E6%9E%90/"><span class="card-category-list-name">恶意代码实战分析</span><span class="card-category-list-count">23</span></a></li>
            </ul></div><div class="card-widget card-archives"><div class="item-headline"><i class="fas fa-archive"></i><span>归档</span></div><ul class="card-archive-list"><li class="card-archive-list-item"><a class="card-archive-list-link" href="/blogs/archives/2023/08/"><span class="card-archive-list-date">八月 2023</span><span class="card-archive-list-count">27</span></a></li></ul></div><div class="card-widget card-webinfo"><div class="item-headline"><i class="fas fa-chart-line"></i><span>网站资讯</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">文章数目 :</div><div class="item-count">27</div></div><div class="webinfo-item"><div class="item-name">本站访客数 :</div><div class="item-count" id="busuanzi_value_site_uv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">本站总访问量 :</div><div class="item-count" id="busuanzi_value_site_pv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">最后更新时间 :</div><div class="item-count" id="last-push-date" data-lastPushDate="2023-09-19T10:27:22.405Z"><i class="fa-solid fa-spinner fa-spin"></i></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2020 - 2023 By 小乾</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="回到顶部"><span class="scroll-percent"></span><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/blogs/js/utils.js"></script><script src="/blogs/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox/fancybox.umd.min.js"></script><div class="js-pjax"></div><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>